Canva Customer Story

Redesigning secrets management

Canva uses HashiCorp Vault to eliminate secret sprawl and centralize secret management.

Canva

Canva is a global online visual communications platform on a mission to empower the world to design. Used by over 90% of Fortune 500 companies across 190 countries, Canva stands out as the leader in accessible, user-friendly graphic design solutions.

When we were looking for a solution, one of the things we really cared about was extensibility, and Vault really shines on this. It's really pluggable, with the ability to develop custom auth engines and secrets engines, which means the runway is unlimited.

- Anthony Ralston, Senior Software Engineer, Cloud Security, Canva

As a SaaS company serving both B2B and B2C clients, Canva relies on numerous APIs, databases, and services that require secure management of access credentials. The sheer scale of its customer base (over 170 million monthly users) demands a sound infrastructure that can support millions of monthly secret reads.

Secrets used to be sprawled across multiple stores, compromising visibility and multiplying security risks. This decentralized approach to secrets management created significant manual overhead that made scaling IT operations challenging.

To address this, Canva implemented HashiCorp Vault to centralize and automate secrets management. It took an iterative approach and started by migrating its build systems to Vault, integrating a custom authentication plugin for Buildkite agents using OIDC. This ensured agents had short-lived, pipeline-specific access to secrets, significantly enhancing security posture. Following this success, Canva expanded Vault usage to its backend systems, seamlessly migrating 80% of them. Vault currently vends secrets for two million builds a month and fields two million secret reads for Canva backends.

Outcomes

  • Eliminated secret sprawl and improved visibility across systems
  • Automated secret rotation to minimize security risks
  • Secured 2 million monthly builds and backend secret reads
  • Enhanced scalability with Vault's extensibility features
  • Reduced operational disruption with a seamless, phased migration

Canva Partner

  • Anthony Ralston, Senior Software Engineer, Cloud Security, Canva

    Anthony Ralston is a software engineer on the Cloud Security team at Canva. The team is responsible for the rollout of HashiCorp Vault and has been on a mission to migrate all static secrets and make them dynamic over the last two years.
